Chapter 5. Issues to be aware of for jessie

Table of Contents

5.1. Security status of web browsers
5.2. Puppet 2.7 / 3.7 compatibility
5.3. PHP 5.6 upgrade has behavioural changes
5.4. Upgrading installs the new default init system for Jessie
5.4.1. Stricter handling of failing mounts during boot under systemd
5.5. Jessie udev needs kernel with CONFIG_DEVTMPFS=y (non-standard setups)
5.6. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)

Sometimes, changes introduced in a new release have side-effects we cannot reasonably avoid, or they expose bugs somewhere else. This section documents issues we are aware of. Please also read the errata, the relevant packages' documentation, bug reports and other information mentioned in Section 6.1, "Further reading".

5.1. Security status of web browsers

Debian 8 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and the partial lack of upstream support in the form of long-term branches make it very difficult to support these browsers with backported security fixes. Additionally, library interdependencies make it impossible to update to newer upstream releases. Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Jessie, but do not have full security support. These browsers should not be used against untrusted websites.

For general web browser use we recommend browsers built on the xulrunner engine (Iceweasel and Iceape), browsers based on the Webkit engine (e.g. Epiphany) or Chromium.

Chromium - while built upon the Webkit codebase - is a leaf package, which will be kept up-to-date by rebuilding the current Chromium releases for stable. Iceweasel, Iceape and Icedove will also be kept up-to-date by rebuilding the current ESR releases for stable.

5.2. Puppet 2.7 / 3.7 compatibility

If you are using Puppet, please be aware that Puppet 3.7 is not backwards compatible with Puppet 2.7. Among other things, the scoping rules have changed and many deprecated constructs have been removed. See the Puppet 3.x release notes for some of the changes, although be aware that there are further changes in 3.7.

Checking the log files of your current puppetmaster for deprecation warnings and resolving all of those warnings before proceeding with the upgrade will make it much easier to complete the upgrade. Alternatively, or additionally, testing the manifests with a tool like Puppet catalog test may also find potential issues prior to the upgrade.

When upgrading a Puppet managed system from wheezy to jessie, you must ensure that the corresponding puppetmaster runs at least Puppet version 3.7. If the master is running wheezy's puppetmaster, the managed jessie system will not be able to connect to it.

For more information on incompatibility changes, please have a look at Telly upgrade issues and "The Angry Guide to Puppet 3".

5.3. PHP 5.6 upgrade has behavioural changes

The upgrade to Jessie includes an upgrade of PHP from 5.4 to 5.6. This may affect any local PHP scripts and you are advised to check those scripts before upgrading. Below is a selected subset of these issues:

  • To prevent man-in-the-middle attacks against encrypted transfers, client streams now verify peer certificates by default.

    As a result of this change, existing code using ssl:// or tls:// stream wrappers (e.g. file_get_contents(), fsockopen(), stream_socket_client()) may no longer connect successfully without manually disabling peer verification via the stream context's "verify_peer" setting.

    For more information about this particular issue, please read this document.

  • PHP changes the handling of case-insensitivity in many cases:

    • All internal case insensitivity handling for class, function and constant names is done according to ASCII rules. Current locale settings are ignored.

    • The keywords "self", "parent" and "static" are now always case insensitive.

    • The json_decode() function no longer accepts non-lowercase variants of "boolean" values.

  • The logo GUID functions (e.g. php_logo_guid()) have been removed.

  • It is no longer possible to overwrite keys in static scalar arrays. Please see PHP bug 66015 for an example and more information about this particular issue.

  • The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no longer accept keys or IVs with incorrect sizes. Furthermore, an IV is now required if the block cipher mode in use requires it.

For more information or the full list of potential issues, please have a look at upstream's list of backwards incompatible changes for PHP 5.5 and 5.6.
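
One way to find local scripts that need review before the upgrade, as an added example that is not part of the release notes: a line-based scan for the constructs listed above. The function names, category labels and the sample script are constructed for illustration; the scan is a heuristic, and data-dependent changes such as the json_decode() one cannot be found this way.

```sh
#!/bin/sh
# Added example (not from the release notes): flag PHP source lines that touch
# the 5.4 -> 5.6 behaviour changes listed above. Output: file:line:category.

# _hits FILE CATEGORY REGEX : print one record per matching line.
_hits() {
    grep -niE -- "$3" "$1" | cut -d: -f1 | while read -r n; do
        printf '%s:%s:%s\n' "$1" "$n" "$2"
    done
}

# scan_php56 DIR : walk *.php files under DIR (hypothetical helper name).
scan_php56() {
    find "$1" -type f -name '*.php' | sort | while IFS= read -r f; do
        # ssl:// and tls:// clients now verify the peer certificate by default.
        _hits "$f" tls-stream '(ssl|tls)://'
        # Verification switched off in a stream context: needs review.
        _hits "$f" verify-peer-off 'verify_peer[^=]*=>[[:space:]]*(false|0)'
        # Key and IV sizes are now enforced for these calls.
        _hits "$f" mcrypt 'mcrypt_(encrypt|decrypt|cbc|cfb|ecb|ofb)[[:space:]]*\('
        # The logo GUID functions were removed.
        _hits "$f" logo-guid 'logo_guid[[:space:]]*\('
    done
}

# demo_php56 : scan a constructed sample script and print the findings.
demo_php56() {
    d=$(mktemp -d) || return 1
    cat > "$d/mail.php" <<'EOF'
<?php
$ctx = stream_context_create(array('ssl' => array('verify_peer' => false)));
$fp  = stream_socket_client('tls://mail.example.org:993', $e, $s, 10,
                            STREAM_CLIENT_CONNECT, $ctx);
$enc = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, 'shortkey', $data, MCRYPT_MODE_CBC);
EOF
    scan_php56 "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
```

A `verify-peer-off` hit is better resolved by giving the stream context a CA bundle (the "cafile" or "capath" SSL context options) than by leaving verification disabled.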

5.4. Upgrading installs the new default init system for Jessie

Jessie ships with systemd-sysv as the default init system. If you have a preference for another init such as sysvinit-core or upstart, it is recommended to set up APT pinning prior to the upgrade. As an example, to prevent systemd from being installed during the upgrade, you can create a file called /etc/apt/preferences.d/local-pin-init with the following contents:

    Package: systemd-sysv
    Pin: release o=Debian
    Pin-Priority: -1
  
Caution

Be advised that some packages may have degraded behaviour or may be lacking features under a non-default init system.

Please note that the upgrade may install packages containing "systemd" in their name even with APT pinning. These alone do not change your init system. To use systemd as your init system, the systemd-sysv package must be installed first.

5.4.1. Stricter handling of failing mounts during boot under systemd

The new default init system, systemd-sysv, has a stricter handling of failing "auto" mounts during boot compared to sysvinit. If it fails to mount an "auto" mount (without the "nofail" option), systemd will drop to an emergency shell rather than continuing the boot.

We recommend that all removable or "optional" mount points (e.g. non-critical network drives) listed in /etc/fstab either have the "noauto" or the "nofail" option.
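
The check described above, as an added example that is not part of the release notes: it lists fstab entries that have neither "noauto" nor "nofail", so each one can be reviewed before the first boot under systemd. The function names, the "network"/"other" labels and the sample fstab are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the release notes). Lists fstab entries that have
# neither "noauto" nor "nofail", i.e. mounts whose failure stops the boot
# under systemd. Output: "<kind> <mount point> <type> <options>".
fstab_boot_risks() {    # hypothetical helper name; defaults to /etc/fstab
    awk '
        /^[ \t]*#/ || NF < 4 { next }   # comments, blank and short lines
        $3 == "swap" { next }           # swap is not a mount point
        $2 == "/"    { next }           # the root file system is always required
        {
            kind = "other"; n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] == "noauto" || opt[i] == "nofail") next
                if (opt[i] == "_netdev") kind = "network"
            }
            if ($3 ~ /^(nfs|nfs4|cifs)$/) kind = "network"
            print kind, $2, $3, $4
        }
    ' "${1:-/etc/fstab}"
}

# demo_fstab : run the check on a constructed sample fstab.
demo_fstab() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>  (constructed)
UUID=1111-aaaa  /           ext4  errors=remount-ro  0 1
UUID=2222-bbbb  /home       ext4  defaults           0 2
UUID=3333-cccc  none        swap  sw                 0 0
nas:/export     /mnt/nas    nfs   rw,hard            0 0
//fs/share      /mnt/share  cifs  credentials=/etc/cifs.cred,nofail  0 0
/dev/sdc1       /media/usb  vfat  user,noauto        0 0
EOF
    fstab_boot_risks "$f"
    rm -f "$f"
}
```

Entries reported as "network" are the usual candidates for "nofail"; entries reported as "other" need a decision on whether the system can boot usefully without them.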

5.5. Jessie udev needs kernel with CONFIG_DEVTMPFS=y (non-standard setups)

Note

This section is only for people who compile their own kernel. If you use the kernels compiled by Debian, you can disregard this section.

The udev package in Jessie requires a kernel compiled with "CONFIG_DEVTMPFS=y". Please ensure your kernel is compiled with that option prior to upgrading. For more information see /usr/share/doc/systemd/README.gz.

5.6. Manual migration of disks encrypted with LUKS whirlpool (non-standard setups)

Note

This section is only for people who have set up LUKS encrypted disks themselves using the whirlpool hash. The debian-installer never supported creating such disks.

If you have manually set up an encrypted disk with LUKS whirlpool, you will need to migrate it manually to a stronger hash. You can check if your disk is using whirlpool by using the following command:

    # /sbin/cryptsetup luksDump <disk-device> | grep -i whirlpool
  

For more information on migrating, please see item "8.3 Gcrypt 1.6.x and later break Whirlpool" of the cryptsetup FAQ.

Caution

If you have such a disk, cryptsetup will refuse to decrypt it by default. If your root disk or other system disks (e.g. /usr) are encrypted with whirlpool, you should migrate them prior to the first reboot after upgrading cryptsetup.